metasploit | 17b0f65a3acf878d72123a1648ce0490307ff176abf2117cb23b9ca30417a02e

General

Target

f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe
Size

477KB
MD5

f420bad96029b024d42e23c5b9300e44
SHA1

79ef3ab63be198ed25851febee5c3bc603dc1d7a
SHA256

17b0f65a3acf878d72123a1648ce0490307ff176abf2117cb23b9ca30417a02e
SHA512

f962d6aeb2bb8e0a1a00a86dd709152542c9dd95750b062da6a86eec7b743e7e8610714663753530497219b21e0f37b8a4a1de204a638a0778cbd1d1e244d370
SSDEEP

12288:HIlKyhSac+JN0So1IImovQdkd2ABbl1HhjGR:olFhSnvSko47HJ6

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 23 IoCs

Processes:

bshj.exemkrn.exegbjz.exeuenq.exenext.exeyvhf.exeknzr.exedfjv.exeoxtg.exezpds.exespnw.exeehxh.exexyhl.exeiqrx.exetijj.exenitm.exeyady.exejsmk.execkwn.exenbgz.exehtql.exestap.exedlsa.exe

pid	process
2368	bshj.exe
2572	mkrn.exe
2492	gbjz.exe
2948	uenq.exe
2816	next.exe
1672	yvhf.exe
2508	knzr.exe
2700	dfjv.exe
1512	oxtg.exe
904	zpds.exe
1952	spnw.exe
988	ehxh.exe
1712	xyhl.exe
2100	iqrx.exe
2556	tijj.exe
2596	nitm.exe
2720	yady.exe
2460	jsmk.exe
2780	ckwn.exe
2824	nbgz.exe
1840	htql.exe
2876	stap.exe
596	dlsa.exe

Loads dropped DLL 46 IoCs

Processes:

f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exebshj.exemkrn.exegbjz.exeuenq.exenext.exeyvhf.exeknzr.exedfjv.exeoxtg.exezpds.exespnw.exeehxh.exexyhl.exeiqrx.exetijj.exenitm.exeyady.exejsmk.execkwn.exenbgz.exehtql.exestap.exe

pid	process
2384	f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe
2384	f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe
2368	bshj.exe
2368	bshj.exe
2572	mkrn.exe
2572	mkrn.exe
2492	gbjz.exe
2492	gbjz.exe
2948	uenq.exe
2948	uenq.exe
2816	next.exe
2816	next.exe
1672	yvhf.exe
1672	yvhf.exe
2508	knzr.exe
2508	knzr.exe
2700	dfjv.exe
2700	dfjv.exe
1512	oxtg.exe
1512	oxtg.exe
904	zpds.exe
904	zpds.exe
1952	spnw.exe
1952	spnw.exe
988	ehxh.exe
988	ehxh.exe
1712	xyhl.exe
1712	xyhl.exe
2100	iqrx.exe
2100	iqrx.exe
2556	tijj.exe
2556	tijj.exe
2596	nitm.exe
2596	nitm.exe
2720	yady.exe
2720	yady.exe
2460	jsmk.exe
2460	jsmk.exe
2780	ckwn.exe
2780	ckwn.exe
2824	nbgz.exe
2824	nbgz.exe
1840	htql.exe
1840	htql.exe
2876	stap.exe
2876	stap.exe

Drops file in System32 directory 46 IoCs

Processes:

htql.exeyvhf.exeyady.execkwn.exenitm.exebshj.exenext.exeknzr.exexyhl.exejsmk.exezpds.exeehxh.exetijj.exef420bad96029b024d42e23c5b9300e44_JaffaCakes118.exedfjv.exeiqrx.exeuenq.exeoxtg.exestap.exemkrn.exegbjz.exespnw.exenbgz.exe

description	ioc	process
File created	C:\Windows\SysWOW64\stap.exe	htql.exe
File opened for modification	C:\Windows\SysWOW64\knzr.exe	yvhf.exe
File opened for modification	C:\Windows\SysWOW64\jsmk.exe	yady.exe
File created	C:\Windows\SysWOW64\nbgz.exe	ckwn.exe
File opened for modification	C:\Windows\SysWOW64\yady.exe	nitm.exe
File opened for modification	C:\Windows\SysWOW64\mkrn.exe	bshj.exe
File opened for modification	C:\Windows\SysWOW64\yvhf.exe	next.exe
File created	C:\Windows\SysWOW64\dfjv.exe	knzr.exe
File opened for modification	C:\Windows\SysWOW64\iqrx.exe	xyhl.exe
File created	C:\Windows\SysWOW64\jsmk.exe	yady.exe
File created	C:\Windows\SysWOW64\ckwn.exe	jsmk.exe
File opened for modification	C:\Windows\SysWOW64\ckwn.exe	jsmk.exe
File created	C:\Windows\SysWOW64\mkrn.exe	bshj.exe
File opened for modification	C:\Windows\SysWOW64\spnw.exe	zpds.exe
File opened for modification	C:\Windows\SysWOW64\xyhl.exe	ehxh.exe
File opened for modification	C:\Windows\SysWOW64\nitm.exe	tijj.exe
File opened for modification	C:\Windows\SysWOW64\stap.exe	htql.exe
File created	C:\Windows\SysWOW64\bshj.exe	f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oxtg.exe	dfjv.exe
File opened for modification	C:\Windows\SysWOW64\tijj.exe	iqrx.exe
File opened for modification	C:\Windows\SysWOW64\next.exe	uenq.exe
File created	C:\Windows\SysWOW64\zpds.exe	oxtg.exe
File opened for modification	C:\Windows\SysWOW64\dlsa.exe	stap.exe
File created	C:\Windows\SysWOW64\yvhf.exe	next.exe
File opened for modification	C:\Windows\SysWOW64\dfjv.exe	knzr.exe
File created	C:\Windows\SysWOW64\xyhl.exe	ehxh.exe
File created	C:\Windows\SysWOW64\nitm.exe	tijj.exe
File opened for modification	C:\Windows\SysWOW64\bshj.exe	f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gbjz.exe	mkrn.exe
File created	C:\Windows\SysWOW64\uenq.exe	gbjz.exe
File created	C:\Windows\SysWOW64\spnw.exe	zpds.exe
File opened for modification	C:\Windows\SysWOW64\ehxh.exe	spnw.exe
File created	C:\Windows\SysWOW64\tijj.exe	iqrx.exe
File created	C:\Windows\SysWOW64\htql.exe	nbgz.exe
File opened for modification	C:\Windows\SysWOW64\gbjz.exe	mkrn.exe
File created	C:\Windows\SysWOW64\next.exe	uenq.exe
File opened for modification	C:\Windows\SysWOW64\oxtg.exe	dfjv.exe
File created	C:\Windows\SysWOW64\ehxh.exe	spnw.exe
File created	C:\Windows\SysWOW64\iqrx.exe	xyhl.exe
File created	C:\Windows\SysWOW64\yady.exe	nitm.exe
File opened for modification	C:\Windows\SysWOW64\nbgz.exe	ckwn.exe
File opened for modification	C:\Windows\SysWOW64\htql.exe	nbgz.exe
File opened for modification	C:\Windows\SysWOW64\uenq.exe	gbjz.exe
File created	C:\Windows\SysWOW64\knzr.exe	yvhf.exe
File opened for modification	C:\Windows\SysWOW64\zpds.exe	oxtg.exe
File created	C:\Windows\SysWOW64\dlsa.exe	stap.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exebshj.exemkrn.exegbjz.exeuenq.exenext.exeyvhf.exeknzr.exedfjv.exeoxtg.exezpds.exespnw.exeehxh.exexyhl.exeiqrx.exetijj.exe

description	pid	process	target process
PID 2384 wrote to memory of 2368	2384	f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe	bshj.exe
PID 2384 wrote to memory of 2368	2384	f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe	bshj.exe
PID 2384 wrote to memory of 2368	2384	f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe	bshj.exe
PID 2384 wrote to memory of 2368	2384	f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe	bshj.exe
PID 2368 wrote to memory of 2572	2368	bshj.exe	mkrn.exe
PID 2368 wrote to memory of 2572	2368	bshj.exe	mkrn.exe
PID 2368 wrote to memory of 2572	2368	bshj.exe	mkrn.exe
PID 2368 wrote to memory of 2572	2368	bshj.exe	mkrn.exe
PID 2572 wrote to memory of 2492	2572	mkrn.exe	gbjz.exe
PID 2572 wrote to memory of 2492	2572	mkrn.exe	gbjz.exe
PID 2572 wrote to memory of 2492	2572	mkrn.exe	gbjz.exe
PID 2572 wrote to memory of 2492	2572	mkrn.exe	gbjz.exe
PID 2492 wrote to memory of 2948	2492	gbjz.exe	uenq.exe
PID 2492 wrote to memory of 2948	2492	gbjz.exe	uenq.exe
PID 2492 wrote to memory of 2948	2492	gbjz.exe	uenq.exe
PID 2492 wrote to memory of 2948	2492	gbjz.exe	uenq.exe
PID 2948 wrote to memory of 2816	2948	uenq.exe	next.exe
PID 2948 wrote to memory of 2816	2948	uenq.exe	next.exe
PID 2948 wrote to memory of 2816	2948	uenq.exe	next.exe
PID 2948 wrote to memory of 2816	2948	uenq.exe	next.exe
PID 2816 wrote to memory of 1672	2816	next.exe	yvhf.exe
PID 2816 wrote to memory of 1672	2816	next.exe	yvhf.exe
PID 2816 wrote to memory of 1672	2816	next.exe	yvhf.exe
PID 2816 wrote to memory of 1672	2816	next.exe	yvhf.exe
PID 1672 wrote to memory of 2508	1672	yvhf.exe	knzr.exe
PID 1672 wrote to memory of 2508	1672	yvhf.exe	knzr.exe
PID 1672 wrote to memory of 2508	1672	yvhf.exe	knzr.exe
PID 1672 wrote to memory of 2508	1672	yvhf.exe	knzr.exe
PID 2508 wrote to memory of 2700	2508	knzr.exe	dfjv.exe
PID 2508 wrote to memory of 2700	2508	knzr.exe	dfjv.exe
PID 2508 wrote to memory of 2700	2508	knzr.exe	dfjv.exe
PID 2508 wrote to memory of 2700	2508	knzr.exe	dfjv.exe
PID 2700 wrote to memory of 1512	2700	dfjv.exe	oxtg.exe
PID 2700 wrote to memory of 1512	2700	dfjv.exe	oxtg.exe
PID 2700 wrote to memory of 1512	2700	dfjv.exe	oxtg.exe
PID 2700 wrote to memory of 1512	2700	dfjv.exe	oxtg.exe
PID 1512 wrote to memory of 904	1512	oxtg.exe	zpds.exe
PID 1512 wrote to memory of 904	1512	oxtg.exe	zpds.exe
PID 1512 wrote to memory of 904	1512	oxtg.exe	zpds.exe
PID 1512 wrote to memory of 904	1512	oxtg.exe	zpds.exe
PID 904 wrote to memory of 1952	904	zpds.exe	spnw.exe
PID 904 wrote to memory of 1952	904	zpds.exe	spnw.exe
PID 904 wrote to memory of 1952	904	zpds.exe	spnw.exe
PID 904 wrote to memory of 1952	904	zpds.exe	spnw.exe
PID 1952 wrote to memory of 988	1952	spnw.exe	ehxh.exe
PID 1952 wrote to memory of 988	1952	spnw.exe	ehxh.exe
PID 1952 wrote to memory of 988	1952	spnw.exe	ehxh.exe
PID 1952 wrote to memory of 988	1952	spnw.exe	ehxh.exe
PID 988 wrote to memory of 1712	988	ehxh.exe	xyhl.exe
PID 988 wrote to memory of 1712	988	ehxh.exe	xyhl.exe
PID 988 wrote to memory of 1712	988	ehxh.exe	xyhl.exe
PID 988 wrote to memory of 1712	988	ehxh.exe	xyhl.exe
PID 1712 wrote to memory of 2100	1712	xyhl.exe	iqrx.exe
PID 1712 wrote to memory of 2100	1712	xyhl.exe	iqrx.exe
PID 1712 wrote to memory of 2100	1712	xyhl.exe	iqrx.exe
PID 1712 wrote to memory of 2100	1712	xyhl.exe	iqrx.exe
PID 2100 wrote to memory of 2556	2100	iqrx.exe	tijj.exe
PID 2100 wrote to memory of 2556	2100	iqrx.exe	tijj.exe
PID 2100 wrote to memory of 2556	2100	iqrx.exe	tijj.exe
PID 2100 wrote to memory of 2556	2100	iqrx.exe	tijj.exe
PID 2556 wrote to memory of 2596	2556	tijj.exe	nitm.exe
PID 2556 wrote to memory of 2596	2556	tijj.exe	nitm.exe
PID 2556 wrote to memory of 2596	2556	tijj.exe	nitm.exe
PID 2556 wrote to memory of 2596	2556	tijj.exe	nitm.exe

C:\Users\Admin\AppData\Local\Temp\f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\bshj.exe
C:\Windows\system32\bshj.exe 620 "C:\Users\Admin\AppData\Local\Temp\f420bad96029b024d42e23c5b9300e44_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\mkrn.exe
C:\Windows\system32\mkrn.exe 540 "C:\Windows\SysWOW64\bshj.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\gbjz.exe
C:\Windows\system32\gbjz.exe 544 "C:\Windows\SysWOW64\mkrn.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\uenq.exe
C:\Windows\system32\uenq.exe 556 "C:\Windows\SysWOW64\gbjz.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\next.exe
C:\Windows\system32\next.exe 568 "C:\Windows\SysWOW64\uenq.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\yvhf.exe
C:\Windows\system32\yvhf.exe 548 "C:\Windows\SysWOW64\next.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\knzr.exe
C:\Windows\system32\knzr.exe 552 "C:\Windows\SysWOW64\yvhf.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\dfjv.exe
C:\Windows\system32\dfjv.exe 560 "C:\Windows\SysWOW64\knzr.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\oxtg.exe
C:\Windows\system32\oxtg.exe 564 "C:\Windows\SysWOW64\dfjv.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\zpds.exe
C:\Windows\system32\zpds.exe 584 "C:\Windows\SysWOW64\oxtg.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\spnw.exe
C:\Windows\system32\spnw.exe 616 "C:\Windows\SysWOW64\zpds.exe"
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\ehxh.exe
C:\Windows\system32\ehxh.exe 588 "C:\Windows\SysWOW64\spnw.exe"
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\xyhl.exe
C:\Windows\system32\xyhl.exe 600 "C:\Windows\SysWOW64\ehxh.exe"
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\iqrx.exe
C:\Windows\system32\iqrx.exe 576 "C:\Windows\SysWOW64\xyhl.exe"
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\tijj.exe
C:\Windows\system32\tijj.exe 596 "C:\Windows\SysWOW64\iqrx.exe"
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\nitm.exe
C:\Windows\system32\nitm.exe 640 "C:\Windows\SysWOW64\tijj.exe"
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2596

C:\Windows\SysWOW64\yady.exe
C:\Windows\system32\yady.exe 608 "C:\Windows\SysWOW64\nitm.exe"
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2720

C:\Windows\SysWOW64\jsmk.exe
C:\Windows\system32\jsmk.exe 604 "C:\Windows\SysWOW64\yady.exe"
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2460

C:\Windows\SysWOW64\ckwn.exe
C:\Windows\system32\ckwn.exe 612 "C:\Windows\SysWOW64\jsmk.exe"
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2780

C:\Windows\SysWOW64\nbgz.exe
C:\Windows\system32\nbgz.exe 644 "C:\Windows\SysWOW64\ckwn.exe"
21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2824

C:\Windows\SysWOW64\htql.exe
C:\Windows\system32\htql.exe 632 "C:\Windows\SysWOW64\nbgz.exe"
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1840

C:\Windows\SysWOW64\stap.exe
C:\Windows\system32\stap.exe 592 "C:\Windows\SysWOW64\htql.exe"
23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2876

C:\Windows\SysWOW64\dlsa.exe
C:\Windows\system32\dlsa.exe 648 "C:\Windows\SysWOW64\stap.exe"
24⤵
- Executes dropped EXE
PID:596

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\bshj.exe
Filesize
477KB

MD5
f420bad96029b024d42e23c5b9300e44

SHA1
79ef3ab63be198ed25851febee5c3bc603dc1d7a

SHA256
17b0f65a3acf878d72123a1648ce0490307ff176abf2117cb23b9ca30417a02e

SHA512
f962d6aeb2bb8e0a1a00a86dd709152542c9dd95750b062da6a86eec7b743e7e8610714663753530497219b21e0f37b8a4a1de204a638a0778cbd1d1e244d370

Download Submit
memory/904-145-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/904-146-0x00000000024E0000-0x00000000025F0000-memory.dmp

Filesize
1.1MB

Download
memory/904-159-0x0000000003DF0000-0x00000000042D4000-memory.dmp

Filesize
4.9MB

Download
memory/904-163-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/988-176-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/988-193-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/988-177-0x00000000024C0000-0x00000000025D0000-memory.dmp

Filesize
1.1MB

Download
memory/1512-132-0x00000000024F0000-0x0000000002600000-memory.dmp

Filesize
1.1MB

Download
memory/1512-131-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1512-148-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1672-106-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1672-90-0x00000000025A0000-0x00000000026B0000-memory.dmp

Filesize
1.1MB

Download
memory/1672-89-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1712-208-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1712-204-0x0000000003E90000-0x0000000004374000-memory.dmp

Filesize
4.9MB

Download
memory/1712-190-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1712-191-0x0000000002620000-0x0000000002730000-memory.dmp

Filesize
1.1MB

Download
memory/1952-175-0x0000000003E90000-0x0000000004374000-memory.dmp

Filesize
4.9MB

Download
memory/1952-174-0x0000000003E90000-0x0000000004374000-memory.dmp

Filesize
4.9MB

Download
memory/1952-179-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/1952-161-0x0000000002630000-0x0000000002740000-memory.dmp

Filesize
1.1MB

Download
memory/1952-160-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2100-205-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2100-221-0x0000000003EC0000-0x00000000043A4000-memory.dmp

Filesize
4.9MB

Download
memory/2100-206-0x00000000024E0000-0x00000000025F0000-memory.dmp

Filesize
1.1MB

Download
memory/2100-219-0x0000000003EC0000-0x00000000043A4000-memory.dmp

Filesize
4.9MB

Download
memory/2100-224-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2368-30-0x0000000003EE0000-0x00000000043C4000-memory.dmp

Filesize
4.9MB

Download
memory/2368-34-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2368-29-0x0000000003EE0000-0x00000000043C4000-memory.dmp

Filesize
4.9MB

Download
memory/2368-15-0x0000000002530000-0x0000000002640000-memory.dmp

Filesize
1.1MB

Download
memory/2368-13-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2384-0-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2384-18-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2384-17-0x0000000002430000-0x0000000002540000-memory.dmp

Filesize
1.1MB

Download
memory/2384-14-0x0000000003EF0000-0x00000000043D4000-memory.dmp

Filesize
4.9MB

Download
memory/2384-11-0x0000000003EF0000-0x00000000043D4000-memory.dmp

Filesize
4.9MB

Download
memory/2384-1-0x0000000002430000-0x0000000002540000-memory.dmp

Filesize
1.1MB

Download
memory/2492-48-0x00000000025B0000-0x00000000026C0000-memory.dmp

Filesize
1.1MB

Download
memory/2492-64-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2492-47-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2508-120-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2508-104-0x0000000002560000-0x0000000002670000-memory.dmp

Filesize
1.1MB

Download
memory/2508-103-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2556-220-0x00000000025D0000-0x00000000026E0000-memory.dmp

Filesize
1.1MB

Download
memory/2556-222-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2556-239-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2556-235-0x0000000003E60000-0x0000000004344000-memory.dmp

Filesize
4.9MB

Download
memory/2572-31-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2572-50-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2572-46-0x0000000003F10000-0x00000000043F4000-memory.dmp

Filesize
4.9MB

Download
memory/2572-45-0x0000000003F10000-0x00000000043F4000-memory.dmp

Filesize
4.9MB

Download
memory/2572-32-0x0000000002570000-0x0000000002680000-memory.dmp

Filesize
1.1MB

Download
memory/2596-236-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2596-237-0x0000000002540000-0x0000000002650000-memory.dmp

Filesize
1.1MB

Download
memory/2700-134-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2700-118-0x00000000024C0000-0x00000000025D0000-memory.dmp

Filesize
1.1MB

Download
memory/2700-117-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2816-92-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2816-75-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2816-76-0x0000000002530000-0x0000000002640000-memory.dmp

Filesize
1.1MB

Download
memory/2948-61-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2948-62-0x0000000002480000-0x0000000002590000-memory.dmp

Filesize
1.1MB

Download
memory/2948-78-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads